Difference between pages "Windows Shadow Volumes" and "Compression"

From ForensicsWiki
= Windows Shadow Volumes =

== Volume Shadow Copy Service ==
Windows has included the Volume Shadow Copy Service (VSS) in its releases since Windows XP. The service periodically creates differential snapshots (shadow copies) of a volume, which serve as restore points for the user. Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to [[mount shadow volumes on disk images]].

In Windows 8 shadow volumes appear to have been superseded by File History, which for now appears to use structures similar to those of its predecessors.

== Also see ==
* [[Windows]]
* How to: [[Mount shadow volumes on disk images]]

== External Links ==

=== How to analyze Shadow Volumes ===
* [http://computer-forensics.sans.org/blog/2008/10/10/shadow-forensics/ VISTA and Windows 7 Shadow Volume Forensics], by [[Rob Lee]], October 2008
* [http://windowsir.blogspot.ch/2011/01/accessing-volume-shadow-copies.html Accessing Volume Shadow Copies], by [[Harlan Carvey]], January 2011
* [http://windowsir.blogspot.ch/2011/01/more-vscs.html More VSCs], by [[Harlan Carvey]], January 2011
* [http://journeyintoir.blogspot.ch/2011/04/little-help-with-volume-shadow-copies.html A Little Help with Volume Shadow Copies], by [[Corey Harrell]], April 2011
* [http://toorcon.techpathways.com/uploads/VolumeShadowCopyWithProDiscover-0511.pdf Volume Shadow Copy with ProDiscover], May 2011
* [http://windowsir.blogspot.ch/2011/09/howto-mount-and-access-vscs.html HowTo: Mount and Access VSCs], by [[Harlan Carvey]], September 2011
* [http://computer-forensics.sans.org/blog/2011/09/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows/ Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows], by [[Rob Lee]], September 2011
* [http://journeyintoir.blogspot.ch/2012/01/ripping-volume-shadow-copies.html Ripping Volume Shadow Copies – Introduction], by [[Corey Harrell]], January 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-practitioner-method.html Ripping VSCs – Practitioner Method], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-practitioner-examples.html Ripping VSCs – Practitioner Examples], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-developer-method.html Ripping VSCs – Developer Method], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/ripping-vscs-developer-examples.html Ripping VSCs – Developer Examples], by [[Corey Harrell]], February 2012
* [http://journeyintoir.blogspot.ch/2012/02/examining-vscs-with-gui-tools.html Examining VSCs with GUI Tools], by [[Corey Harrell]], February 2012
* [http://dfstream.blogspot.ch/2012/03/vsc-toolset-gui-tool-for-shadow-copies.html VSC Toolset: A GUI Tool for Shadow Copies], by [[Jason Hale]], March 2012
* [http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html Examining Volume Shadow Copies – The Easy Way!], by [[Simon Key]], June 2012
* [http://justaskweg.com/?p=351 Getting Ready for a Shadow Volume Exam], by [[Jimmy Weg]], June 2012
* [http://justaskweg.com/?p=466 Mounting Shadow Volumes], by [[Jimmy Weg]], July 2012
* [http://justaskweg.com/?p=518 Examining the Shadow Volumes with X-Ways Forensics], by [[Jimmy Weg]], July 2012
* [http://justaskweg.com/?p=710 “Weg, I’m afraid that I don’t have VMware. How do I Examine Shadow Volumes?”], by [[Jimmy Weg]], August 2012
* [http://sandersonforensics.com/forum/content.php?168-Reconnoitre Examining shadow copies without vssadmin, it's as easy as 1, 2, 3 (really)], by [[Paul Sanderson]], January 2013

=== Shadow Volumes in depth ===
* [http://www.qccis.com/docs/publications/WP-VSS.pdf Reliably recovering evidential data from Volume Shadow Copies in Windows Vista and Windows 7], by [[James Crabtree]] and [[Gary Evans]], 2010
* [http://forensic4cast.com/2010/04/19/into-the-shadows/ Into The Shadows] and [http://www.forensic4cast.com/2010/04/presentation-into-the-shadows/ Presentation], by [[Lee Whitfield]], April 2010
* [http://code.google.com/p/libvshadow/downloads/detail?name=Volume%20Shadow%20Snapshot%20%28VSS%29%20format.pdf Volume Shadow Snapshot format], by the [[libvshadow|libvshadow project]], March 2011
* [https://docs.google.com/file/d/0B3HVXW6sJsoCS09qZjFOUTdvTjg/edit?pli=1 File History Services], by [[Kenneth Johnson]], June 2012
* [http://code.google.com/p/libvshadow/downloads/detail?name=Paper%20-%20Windowless%20Shadow%20Snapshots.pdf Windowless Shadow Snapshots - Analyzing Volume Shadow Snapshots (VSS) without using Windows] and [http://www.basistech.com/about-us/events/open-source-forensics-conference/ OSDFC 2012] [http://code.google.com/p/libvshadow/downloads/detail?name=Slides%20-%20Windowless%20Shadow%20Snapshots.pdf Slides], by [[Joachim Metz]], October 2012

=== Other ===
* [http://lanmaster53.com/talks/#hack3rcon2 Lurking in the Shadows – Hack3rcon II]
* [http://pauldotcom.com/2012/10/volume-shadow-copies---the-los.html Volume Shadow Copies - The Lost Post], by [[Mark Baggett]], October 2012

== Tools ==
* [[EnCase]] with VSS Examiner Enscript (available from the downloads section of the GSI Support Portal)
* [[libvshadow]]
* [[ProDiscover]]
* [http://www.shadowexplorer.com/ ShadowExplorer]
* [http://dfstream.blogspot.ch/p/vsc-toolset.html VSC Toolset]
* [[X-Ways AG|X-Ways Forensics]]
* [http://sandersonforensics.com/forum/content.php?168-Reconnoitre Reconnoitre]

[[Category:Volume Systems]]

= Compression =
Revision as of 02:14, 9 June 2014

{{Expand}}

== LZ-based ==

=== LZNT1 ===
Used in:
* [[NTFS]]
* [[Windows SuperFetch Format]]

=== LZXPRESS ===
Used in:
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]

=== LZXPRESS Huffman ===
Used in:
* [[Windows SuperFetch Format]]

== External Links ==
* [http://en.wikipedia.org/wiki/Lempel-Ziv Wikipedia: Lempel-Ziv]
* [http://www.coderforlife.com/microsoft-compression-formats/ Microsoft Compression Formats]

=== LZ1 ===
* [http://andyh.org/LZ1.html LZ1]
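The LZNT1 layout listed under LZ-based above (4 KiB chunks, a 16-bit chunk header, flag bytes, and 16-bit match tokens whose offset/length bit split depends on the position inside the chunk) is easiest to see in a round trip. The Python below is an added example written for this page; it is not ForensicsWiki content and not code from libfwnt or any tool named above. Its inputs are constructed, and two details are assumptions marked in the comments: the 0b011 value in bits 12-14 of the chunk header, and a chunk with bit 15 clear being stored raw as (size field + 1) bytes.

```python
# LZNT1 round trip (chunked LZ77 as used by NTFS compression and SuperFetch).
# Added example for this page, not ForensicsWiki or libfwnt code; inputs are constructed.
CHUNK_SIZE = 4096          # each chunk decompresses to at most 4 KiB
COMPRESSED_FLAG = 0x8000   # bit 15 of the 16-bit little-endian chunk header
CHUNK_SIGNATURE = 0x3000   # bits 12-14 carry 0b011 (assumption: decoders ignore them)


def _split(out_pos):
    """(length_mask, offset_shift) for a match token written when out_pos bytes of the
    chunk exist: the offset field grows from 4 bits as the position doubles past 16."""
    pos, length_mask, offset_shift = out_pos - 1, 0xFFF, 12
    while pos >= 0x10:
        length_mask, offset_shift, pos = length_mask >> 1, offset_shift - 1, pos >> 1
    return length_mask, offset_shift


def _decompress_chunk(body):
    out, i = bytearray(), 0
    while i < len(body):
        flags, i = body[i], i + 1            # one flag byte covers the next 8 tokens
        for bit in range(8):
            if i >= len(body):
                break
            if not flags & (1 << bit):       # literal byte
                out.append(body[i])
                i += 1
                continue
            if i + 1 >= len(body):
                raise ValueError("truncated match token")
            token, i = body[i] | (body[i + 1] << 8), i + 2
            length_mask, offset_shift = _split(len(out))
            length, offset = (token & length_mask) + 3, (token >> offset_shift) + 1
            if offset > len(out):            # the classic LZ decoder bug if left unchecked
                raise ValueError("match offset reaches before chunk start")
            if len(out) + length > CHUNK_SIZE:
                raise ValueError("chunk output exceeds 4 KiB")
            for _ in range(length):          # byte-wise copy handles overlapping matches
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(data):
    out, i = bytearray(), 0
    while i + 2 <= len(data):
        header, i = data[i] | (data[i + 1] << 8), i + 2
        if header == 0:                      # a zero header terminates the stream
            break
        size = (header & 0xFFF) + 1
        if i + size > len(data):
            raise ValueError("chunk runs past end of input")
        body, i = data[i:i + size], i + size
        if header & COMPRESSED_FLAG:
            out += _decompress_chunk(body)
        else:
            out += body                      # assumption: raw chunk stored as size+1 bytes
    return bytes(out)


def _compress_chunk(raw):
    body, pos = bytearray(), 0
    while pos < len(raw):
        flags, tokens = 0, bytearray()
        for bit in range(8):
            if pos >= len(raw):
                break
            length_mask, offset_shift = _split(pos)
            max_len = min(length_mask + 3, len(raw) - pos)
            max_off = min(1 << (16 - offset_shift), pos)
            best_len = best_off = 0
            for off in range(1, max_off + 1):    # greedy longest match; fine for small inputs
                n = 0
                while n < max_len and raw[pos + n] == raw[pos - off + n]:
                    n += 1
                if n > best_len:
                    best_len, best_off = n, off
            if best_len >= 3:
                tokens += (((best_off - 1) << offset_shift) | (best_len - 3)).to_bytes(2, "little")
                flags |= 1 << bit
                pos += best_len
            else:
                tokens.append(raw[pos])
                pos += 1
        body.append(flags)
        body += tokens
    return bytes(body)


def lznt1_compress(data):
    out = bytearray()
    for start in range(0, len(data), CHUNK_SIZE):
        raw = data[start:start + CHUNK_SIZE]
        body = _compress_chunk(raw)
        if len(body) < len(raw):
            header = COMPRESSED_FLAG | CHUNK_SIGNATURE | (len(body) - 1)
        else:                                # incompressible chunk: store it raw
            header, body = CHUNK_SIGNATURE | (len(raw) - 1), raw
        out += header.to_bytes(2, "little") + body
    return bytes(out)


# Constructed inputs: repetitive text spanning two chunks plus a 1 KiB tail, and a
# hand-assembled stream: header 0xB004, flags 0x04, 'a', 'b', match offset 2 length 6.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 150 + bytes(range(256)) * 4
HAND_STREAM = bytes.fromhex("04b0 04 6162 0310")
```

Run stand-alone, `lznt1_decompress(lznt1_compress(SAMPLE)) == SAMPLE` holds and `lznt1_decompress(HAND_STREAM)` returns `b"abababab"`. The four `ValueError` checks in the decoder are the point for anyone parsing compressed NTFS files or SuperFetch data out of an evidence image: a match offset that reaches before the chunk start, a truncated token, a chunk size that runs past the input, and chunk output beyond 4 KiB are exactly the conditions an unchecked decoder turns into an out-of-bounds read or write.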